United States Department of Agriculture
Office of Inspector General

USDA's Implementation of Cloud Computing Services

Audit Report 50501-0005-12
September 2014


What Were OIG's Objectives

Our objective was to evaluate USDA agencies' efforts to adopt cloud computing technologies and review contracts that agencies have issued for cloud services for compliance with applicable standards.

What OIG Reviewed

We reviewed 6 contracts, with a reported value of approximately $68.5 million, which were selected from a universe of 31 contracts, with an approximate value of $128.2 million. Cloud computing contracts were reviewed for inclusion of detailed specifications and compliance with the June 5, 2014, FedRAMP requirement.

What OIG Recommends

OIG recommends that USDA establish a consistent definition of cloud computing, create and maintain an accurate inventory of its cloud systems, and develop a guide for procuring cloud systems that details specifications and security requirements. The Department also needs a detailed plan for becoming FedRAMP compliant.

OIG reviewed the implementation of commercial cloud computing environments in USDA.

What OIG Found

The Department of Agriculture (USDA) has incorporated cloud computing into its overall information technology (IT) environment, but the Office of Inspector General (OIG) found that the Department does not have a complete inventory of its cloud systems, due to poor inventory management and the inconsistent application of the definition of a cloud computing system. We found that even though USDA has an official system of record for its inventory of IT systems, 17 of the 31 cloud systems were not included in the inventory, and 8 additional systems were in the inventory, but not marked as cloud systems. Additionally, the level of detail included within the contracts for procuring the systems varied across our sample, with all six reviewed contracts lacking details required by Federal guidelines. Finally, only two of the six cloud service providers tested met the requirements to become Federal Risk and Authorization Management Program (FedRAMP) compliant by June 5, 2014.

These issues occurred because the offices and agencies have adopted cloud computing technologies without clear guidance, including a USDA-wide definition of what constitutes a cloud computing system. USDA does not have an adequate process for inventory management, standardized contract language for cloud computing services, or an organized approach to ensure cloud systems meet FedRAMP requirements.

USDA does not have adequate controls in place to manage its cloud service providers and the data that reside in these systems. As a result, USDA's data are exposed to risk of loss or disclosure to unauthorized parties, which could compromise the Department's programs and producer data. Furthermore, because five of six contracts (totaling approximately $66.9 million) did not specify how a provider's performance was to be measured, reported, or enforced, the agencies are not able to ensure adequate service levels are met, increasing the risk that USDA funds could be misspent or ineffectively used.

USDA generally concurred with our findings.


United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: September 26, 2014

AUDIT NUMBER: 50501-0005-12

TO:
Cheryl Cook, Chief Information Officer, Office of the Chief Information Officer (ATTN: Christopher Wren)
Brandon Willis, Administrator, Risk Management Agency (ATTN: Heather Manzano)
Lisa Wilusz, Director, Office of Procurement and Property Management (ATTN: Lennetta Elias)
Jason Weller, Chief, Natural Resources Conservation Service (ATTN: Leon Brooks)
Roger Klurfeld, Director, National Appeals Division (ATTN: Steven Placek)

FROM: Gil H. Harden, Assistant Inspector General for Audit

SUBJECT: USDA's Implementation of Cloud Computing Services

This report presents the results of the subject audit. Your written response, dated September 22, 2014, is included in its entirety at the end of the report. Excerpts from your response and the Office of Inspector General's (OIG) position are incorporated in the relevant sections of the report. Based on your written response, we accept management decision on Recommendations 4, 5, 6, and 7.
We are unable to accept management decision on Recommendations 1, 2, and 3. The documentation or action needed to reach management decision for these recommendations is described under the relevant OIG Position sections.

In accordance with Departmental Regulation 1720-1, please furnish a consolidated reply, coordinated by the Office of the Chief Information Officer, within 60 days describing the corrective actions taken or planned, and timeframes for implementing the recommendations for which management decisions have not been reached. Please note that the regulation requires management decision to be reached on all recommendations within 6 months from report issuance, and final action to be taken within 1 year of each management decision to prevent being listed in the Department's annual Agency Financial Report. Please follow your internal agency procedures in forwarding final action correspondence to the Office of the Chief Financial Officer.

We appreciate the courtesies and cooperation extended to us by members of your staff during our audit fieldwork and subsequent discussions. This report contains publicly available information and will be posted in its entirety to our website (http://www.usda.gov/oig) in the near future.


Table of Contents

Background and Objectives ... 1
Section 1: Cloud Inventory Management ... 3
    Finding 1: USDA Must Develop an Accurate Cloud System Inventory ... 3
        Recommendation 1 ... 4
        Recommendation 2 ... 5
Section 2: Cloud Contracting ... 6
    Finding 2: USDA Needs to Include More Detailed Specifications in Its Cloud Contracts ... 6
        Recommendation 3 ... 10
Section 3: FedRAMP Compliance ... 11
    Finding 3: USDA and CSPs Must Meet FedRAMP Requirements ... 11
        Recommendation 4 ... 12
        Recommendation 5 ... 12
        Recommendation 6 ... 13
        Recommendation 7 ... 13
Scope and Methodology ... 15
Abbreviations ... 16
Exhibit A: Summary of Monetary Results ... 17
Agency's Response ... 19


Background and Objectives

Background

Cloud computing is a term used to describe information technology (IT) systems, software, or infrastructure that are packaged and provided to customers by a service provider. The National Institute of Standards and Technology (NIST) describes cloud systems as having five essential characteristics:

    ·   On-demand self-service: The customer can unilaterally provision computing capabilities (for example, server time and storage) as needed, without requiring human interaction with the service provider.

    ·   Broad network access: The capabilities (e.g., storage, servers, databases) of the service provider are available over the network and accessed by the customer through standard mechanisms.

    ·   Resource pooling: The provider's computing resources are pooled to serve multiple customers, so the customer shares the provider's infrastructure with other tenants.

    ·   Rapid elasticity: The service provider's system allows the customer to rapidly expand or contract the computing resources it requires.

    ·   Measured service: Resource use is metered, and the customer's payment for the cloud system is determined by a measured capability (e.g., seat licenses, storage used).1

Cloud computing offers the potential for significant cost savings through more efficient provisioning of computing resources, flexible payments that increase or decrease based on resources needed, and a decreased need to buy hardware or build data centers.

To accelerate the Federal Government's use of cloud-computing strategies, the U.S.
Chief Information Officer published the Federal Cloud Computing Strategy, requiring agencies to evaluate safe, secure cloud computing options before making any new investments.2 Under this "Cloud First" policy, Federal agencies are to evaluate cloud services for new IT projects in an effort to realize the value of cloud computing through cost savings.

In addition to risks that resemble those of in-house information systems, cloud technologies carry risks that are unique to the deployment model. For example, when using a cloud system, the customer gives up direct governance of the system: the client cedes control to the cloud service provider (CSP) on a number of issues that may affect the system's security. At the same time, the Service Level Agreement (SLA) may not commit the CSP to provide the corresponding security services, leaving a gap in security defenses.3

1 NIST Special Publication (SP) 800-145, The NIST Definition of Cloud Computing, September 2011.
2 Vivek Kundra, U.S. Chief Information Officer, Federal Cloud Computing Strategy, February 8, 2011.
3 European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks and Recommendations for Information Security, November 2009.

To effectively manage the delivery of cloud-computing services, agencies should develop contracts that address business and security risks, as well as properly define, and provide a mechanism to monitor, the agency's and the CSP's responsibilities. Additionally, agencies must have strong governance practices in place, including organizational control and oversight of policies, procedures, and standards for IT service acquisition and for monitoring the use of cloud services.

In a previous audit, we identified security issues related to cloud computing. Specifically, in the fiscal year 2012 USDA Federal Information Security Management Act (FISMA) report, we recommended that the Office of the Chief Information Officer (OCIO) modify its service agreement between the Department and its e-mail CSP to incorporate appropriate detail outlining the roles and responsibilities of each party pertaining to incident response and reporting.4

Based on the risks surrounding cloud computing, the National Aeronautics and Space Administration OIG submitted a proposal to the Council of the Inspectors General on Integrity and Efficiency (CIGIE) for a Government-wide audit initiative on the implementation of cloud computing at Federal agencies. The audit plan was approved by the CIGIE IT Committee, and the results from USDA OIG's audit will be consolidated, along with results from other participating OIGs, into a CIGIE report.5

Objectives

Our objective was to evaluate USDA agencies' efforts to adopt cloud-computing technologies and review contracts that agencies have issued for cloud services for compliance with applicable standards.

4 Audit Report 50501-0003-12, U.S. Department of Agriculture, Office of the Chief Information Officer, Fiscal Year 2012 Federal Information Security Management Act, November 2012.
5 To be released under Audit Report 50501-0007-12.


Section 1: Cloud Inventory Management

Finding 1: USDA Must Develop an Accurate Cloud System Inventory

We determined USDA does not have an inventory that includes all of its cloud systems. More specifically, we found that even though USDA has an official system of record for its inventory of IT systems, 17 of the 31 cloud systems were not included in the inventory, and 8 additional systems were in the inventory, but not marked as cloud systems.
This occurred because the Department lacks a sufficient inventory management process, and not all agencies were following the NIST definition of cloud computing when designating a system as a cloud system. As a result, the Department does not know the number and type of its cloud systems, or the associated data that reside outside of USDA information system boundaries, which increases the risk that data could be disclosed to unauthorized parties.

The Office of Management and Budget (OMB) requires Federal agencies to follow NIST guidance.6 According to NIST, Federal agencies need to develop and document an inventory of information system components that: (1) accurately reflects the current information system, (2) includes all components within the authorization boundary of the information system, and (3) includes the granularity deemed necessary for tracking and reporting.7

In addition, an inventory of hardware and an inventory of software are the first and second controls listed in the Council on CyberSecurity's Critical Security Controls.8 These two inventories are considered basic controls for building a secure network. The critical controls are a recommended set of actions for cyber defense that provide specific and actionable ways to mitigate the most pervasive attacks. Attackers continuously scan the address space of target organizations, waiting for new and unprotected systems to be attached to a network. It is therefore critical to maintain an asset inventory of all systems connected to the network, including the network devices themselves, and to include every system that has an Internet Protocol address on the network. Without an accurate and complete cloud system inventory, agencies cannot ensure the appropriate controls are in place to protect the systems and their data.

According to OCIO, Cyber Security Assessment and Management (CSAM) is the official system of record for the inventory of IT systems within USDA.9 However, when we began validating the initial inventory of 21 cloud systems that were identified from survey results submitted by USDA agencies and offices, we identified additional systems that were not reported to us, as well as systems that needed to be removed from the audit universe because they were not consistent with NIST's definition of a cloud system. Once we had established the audit universe of 31 cloud systems, we compared it to CSAM. We found that 25 of the 31 identified systems were not properly recorded in CSAM (17 were absent, and 8 were present but not marked as cloud systems), and supporting documentation for these systems was likewise missing.

6 OMB M-14-04, Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, November 18, 2013.
7 NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
8 A consortium of U.S. and international agencies and experts from private industry around the globe contributed recommendations for what ultimately became the Critical Security Controls, which were coordinated through the SANS Institute. In 2013, stewardship and sustainment of the controls was transferred to the Council on CyberSecurity, an independent, global non-profit entity committed to a secure and open Internet.
9 SOP-ISD-007, Information Technology Inventory Reconciliation and Certification, April 28, 2009.
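The comparison just described, a validated universe of cloud systems checked against the system of record, is a reconciliation that can be automated. The Python below is an added example written for this page; it is not from the OIG report and it does not use CSAM's actual data model. Its system names, survey fields, and inventory rows are constructed for illustration. It applies the five NIST SP 800-145 characteristics to decide what counts as a cloud system (a survey answer missing any one of them is excluded, with the reason recorded), then reports the two gaps the audit found: systems absent from the inventory, and systems present but not flagged as cloud.

```python
"""Reconcile a NIST-validated cloud-system universe against an inventory export.

Added example, not part of the OIG report or of CSAM. All system names,
agency names and records below are constructed sample data.
"""
import re
from dataclasses import dataclass

# The five essential characteristics from NIST SP 800-145. A system must
# exhibit all five to be classified as cloud computing.
NIST_CHARACTERISTICS = (
    "on_demand_self_service",
    "broad_network_access",
    "resource_pooling",
    "rapid_elasticity",
    "measured_service",
)


@dataclass
class SurveyResponse:
    """One system as reported by an agency survey (constructed format)."""
    name: str
    agency: str
    characteristics: dict  # characteristic name -> bool


@dataclass
class InventoryRecord:
    """One row from the system-of-record export (constructed format)."""
    name: str
    cloud_flag: bool


def normalize(name: str) -> str:
    """Matching key: survey answers and inventory rows differ in case,
    punctuation and spacing, so compare on a canonical form of the name."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def is_cloud_system(resp: SurveyResponse) -> bool:
    """NIST definition: every essential characteristic must be present."""
    return all(resp.characteristics.get(c, False) for c in NIST_CHARACTERISTICS)


def build_universe(responses):
    """Split survey responses into the cloud universe and an exclusion list
    that records which characteristics each excluded system lacks."""
    universe, excluded = {}, {}
    for r in responses:
        key = normalize(r.name)
        if is_cloud_system(r):
            universe[key] = r
        else:
            excluded[key] = [c for c in NIST_CHARACTERISTICS
                             if not r.characteristics.get(c, False)]
    return universe, excluded


def reconcile(universe, inventory):
    """Return the two inventory gaps: cloud systems the inventory does not
    contain at all, and cloud systems it contains but does not flag as cloud."""
    by_key = {normalize(rec.name): rec for rec in inventory}
    not_in_inventory = sorted(k for k in universe if k not in by_key)
    not_flagged = sorted(k for k in universe
                         if k in by_key and not by_key[k].cloud_flag)
    return {"not_in_inventory": not_in_inventory,
            "in_inventory_not_flagged_cloud": not_flagged}


def _chars(**overrides):
    """Constructed helper: all five characteristics true unless overridden."""
    return {c: overrides.get(c, True) for c in NIST_CHARACTERISTICS}


# Constructed sample data (hypothetical system names, not USDA systems).
SAMPLE_SURVEY = [
    SurveyResponse("Field-Survey SaaS", "Agency A", _chars()),
    SurveyResponse("Grant Portal", "Agency B", _chars()),
    SurveyResponse("Producer Email (Cloud)", "Agency C", _chars()),
    # A hosted server with fixed capacity and no self-service is not cloud.
    SurveyResponse("Legacy Hosted Fileserver", "Agency C",
                   _chars(on_demand_self_service=False, rapid_elasticity=False)),
    SurveyResponse("GIS Analytics PaaS", "Agency D", _chars()),
]
SAMPLE_INVENTORY = [
    InventoryRecord("producer email (cloud)", cloud_flag=False),
    InventoryRecord("GIS ANALYTICS PAAS", cloud_flag=True),
    InventoryRecord("Legacy Hosted Fileserver", cloud_flag=False),
    InventoryRecord("Payroll Mainframe", cloud_flag=False),
]


def run_sample() -> dict:
    """Classify the sample survey and reconcile it against the sample inventory."""
    universe, excluded = build_universe(SAMPLE_SURVEY)
    return {"universe_size": len(universe), "excluded": excluded,
            "gaps": reconcile(universe, SAMPLE_INVENTORY)}


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(f"{k}: {v}")
```

Two practical caveats: match on a stable system identifier rather than a normalized name wherever the inventory carries one, because name matching will silently miss a renamed system, and treat the exclusion list as something the agency reviews, since a survey that simply omits a characteristic will exclude a system that is in fact cloud.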
Due to USDA's inability to provide an accurate inventory of its cloud systems, along with the fact that systems and supporting documentation were missing from CSAM, we concluded that a complete inventory of USDA cloud systems does not exist. This occurred because the Department lacks a sufficient inventory management process for cloud systems. Although USDA has an inventory management process in place, it relies on agencies to manually report their systems to OCIO for tracking. USDA is a geographically diverse organization with 24 Chief Information Officers (CIO) responsible for the IT management of 34 agencies and staff offices. This decentralized IT management makes it challenging to maintain an accurate and complete inventory. Additionally, USDA has not consistently followed or enforced the NIST definition of cloud computing systems: our testing determined that agency officials were not adhering to the NIST definition, so agencies were in effect left to make their own determinations on what constitutes a cloud system. Consequently, there is no way to certify that USDA knows of all cloud systems within the Department, which in turn means that the Department cannot identify all program data that reside in these systems. Without such knowledge, USDA cannot ensure the appropriate controls are in place to protect each system and its data. These risks include isolation failure, interception of data in transit, and insecure/ineffective deletion of data, which could expose agency data to unauthorized parties and potentially compromise the objectives of the agencies' programs.10

In conclusion, USDA needs to ensure that it has an accurate and complete inventory of its cloud-based systems.

10 Isolation failure is the risk that the mechanisms used to keep cloud tenants' data separate fail, thus exposing sensitive data to other tenants within the cloud deployment. Interception of data in transit is the risk that, as data are sent to or from the cloud service, the traffic could be intercepted via sniffing or man-in-the-middle attacks. Insecure/ineffective deletion of data is the risk that, once a cloud service contract is terminated, not all data within the cloud can be, or are, securely deleted, due to the nature of data storage within the cloud.

Recommendation 1

OCIO needs to establish a definition of cloud computing systems for use within USDA that is consistent with NIST guidance.

Agency Response

OCIO accepts this recommendation. OCIO has completed a draft cloud policy that is consistent with NIST guidance, and contains a comprehensive definition of cloud computing systems. The draft is being vetted internally to OCIO for review and comment, prior to being released for formal Department-wide coordination and approval. The estimated completion date is November 30, 2016.

OIG Position

We are unable to reach management decision based on OCIO's response. Although we agree with the issuance of a cloud computing policy, we believe interim measures are needed if the policy will not be ready for publication until November 30, 2016. In order to reach management decision, OCIO needs to provide OIG with interim milestones prior to the proposed publication date of the policy.

Recommendation 2

OCIO needs to create and maintain an accurate cloud system inventory and work with agencies to ensure their adherence to reporting requirements.

Agency Response

OCIO accepts this recommendation. OCIO will collaborate with USDA agencies to review CSP systems in CSAM and develop guidelines as to how CSP systems are to be recorded in CSAM so that future reporting is complete and accurate. The estimated completion date of the CSAM Cloud System Inventory Guide is January 30, 2016.

OIG Position

We are unable to reach management decision based on OCIO's response. Although we agree with the issuance of a CSAM Cloud Inventory Guide, we believe interim measures are needed if the guide will not be ready for publication until January 30, 2016. In order to reach management decision, OCIO needs to provide OIG with interim milestones prior to the proposed publication date of the Cloud Inventory Guide.


Section 2: Cloud Contracting

Finding 2: USDA Needs to Include More Detailed Specifications in Its Cloud Contracts

We found that none of the six cloud contracts in our sample contained complete, detailed specifications for the agency and the cloud service provider (CSP) to adhere to, including detailed Service Level Agreements (SLA), data preservation responsibilities, roles and responsibilities, Federal regulation requirements, and audit and investigative access for OIG.11 Although the contracts tested did contain some of the elements, no one contract included all of the elements.
This occurred because the Department lacks guidance on a standardized approach to procuring cloud services, including a standard set of requirements for CSPs to adhere to when USDA issues contracts for cloud services. As a result, USDA has not incorporated adequate service agreements in its cloud service contracts, and has not implemented adequate controls to monitor and manage its CSPs and the data that reside within the systems, exposing USDA data to the risk of loss or disclosure to unauthorized parties. Furthermore, because five of six contracts, totaling approximately $66.9 million, did not include detailed SLAs specifying how a provider's performance would be measured, reported, or monitored, the agencies are not able to ensure adequate service levels are met, increasing the risk that Government funds could be misspent or ineffectively used.

NIST recommends that if the terms of the default service agreement do not address all consumer needs, the consumer should discuss modifications of the service agreement with the provider prior to use.12 In regards to consumer needs, the CIO Council and Chief Acquisition Officers (CAO) Council's cloud best practices report provides specific guidance on how Federal agencies should effectively procure cloud services within existing regulations and laws.13 For example, it suggests agencies establish Terms of Service (TOS) agreements that detail how end-users may use the services, the CSP's responsibilities, and how the CSP will handle customer data. It also recommends Federal agencies require CSPs to allow forensic investigations for both criminal and non-criminal purposes. In addition, the agency and CSP's SLA should have clearly defined terms, definitions, and penalties for failure to meet SLA performance measures. Specific details of our testing follow:

Service Level Agreement (SLA)

The SLA defines the expected level of service to be delivered and, in the event that the CSP fails to deliver the service at the specified level, the service credit available to the cloud consumer.14 We found five of six cloud contracts reviewed lacked detailed SLAs, which should define the required, measurable service levels to be provided by the CSP to the agencies. For example, a required uptime percentage obligates the CSP to maintain a stated level of system availability to the agency over a specified period of time. In regards to uptime percentage, we found that five of six contracts did not specify how a provider's performance would be measured, reported, or monitored, specifically:

    ·   Two of six contracts reviewed did not specify the required uptime percentages for the CSP.

    ·   Three of the four contracts that included uptime requirements did not describe how the uptime percentage was calculated. The method for this calculation is critical so that the agency can verify that the uptime percentages stated are being met by the CSP.

    ·   Two of the four contracts did not detail remedies to be paid by the CSP to the agency if uptime requirements were not met. NIST SP 800-146 states that if a CSP fails to provide the stated availability, the CSP should compensate consumers in good faith with a service credit for future use of cloud services.

    ·   One of the four contracts did not assign someone from the agency to monitor the actual uptime, compare it to the uptime percentage specified in the contract, and pursue service credits when applicable. NIST SP 800-146 states that the responsibility for obtaining a service credit is generally placed on the consumer, who must provide timely information to the CSP about the nature and the duration of the outage.

In total, these contracts are valued at approximately $66.9 million and have no established method by which to verify that USDA agencies and offices are receiving adequate service levels. By not establishing a method to measure, monitor, and report on the availability of the system, it is possible that USDA funds could be misspent or ineffectively used on poorly performing systems. Without agency monitoring and verification of the uptime percentage, the agency cannot be assured that a service credit will be received if the specified uptime percentage is not met. We consider the development and implementation of a guide for procuring cloud services to be the first step for establishing sufficient cloud services contracts within USDA, which would include the development of detailed SLAs.

11 Data preservation responsibilities address how long the CSP must maintain the agency's data, whether the agency or CSP retains the data ownership rights, and how data are to be sanitized throughout the system lifecycle.
12 The default service level agreements of public clouds specify limited promises that providers make to subscribers, limit the remedies available to subscribers, and outline subscriber obligations in obtaining such remedies. NIST SP 800-146, Cloud Computing Synopsis and Recommendations, May 2012.
13 The CIO Council and CAO Council guidance, Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service, February 24, 2012.
14 NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.
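Why the calculation method matters can be made concrete. The Python below is an added example written for this page, not code from the OIG report or from any of the audited contracts; the measurement window, outage records, maintenance window, 99.5 percent requirement, and credit schedule are all constructed. It takes one outage log and computes the uptime percentage under two stated methods: counting all downtime against the calendar month, or excluding scheduled maintenance from both the downtime and the measured time. The same log passes the requirement under one method and earns a service credit under the other, which is exactly the dispute an agency cannot win if the contract never says which method applies. It also clips an outage that straddles the start of the window, another detail a written method has to settle.

```python
"""Compute SLA uptime and service credit under an explicitly stated method.

Added example, not from the OIG report or any USDA contract. All dates,
outages, maintenance windows, thresholds and credit tiers are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Interval:
    start: datetime
    end: datetime

    def overlap(self, other: "Interval") -> timedelta:
        """Length of the intersection of two intervals (zero if disjoint)."""
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return max(hi - lo, timedelta(0))


def downtime(window: Interval, outages, maintenance=(), exclude_maintenance=True) -> timedelta:
    """Total outage time inside the window. Outages are clipped to the window.
    If the stated method excludes scheduled maintenance, the part of an outage
    that falls inside a maintenance window is not counted (maintenance windows
    are assumed not to overlap one another)."""
    total = timedelta(0)
    for o in outages:
        clipped = Interval(max(o.start, window.start), min(o.end, window.end))
        if clipped.end <= clipped.start:
            continue  # entirely outside the measurement window
        counted = clipped.end - clipped.start
        if exclude_maintenance:
            counted -= sum((clipped.overlap(m) for m in maintenance), timedelta(0))
        total += counted
    return total


def uptime_percent(window: Interval, outages, maintenance=(), exclude_maintenance=True) -> float:
    """Uptime = 1 - downtime / measured time. When maintenance is excluded, the
    measured time is the window length minus scheduled maintenance in it."""
    measured = window.end - window.start
    if exclude_maintenance:
        measured -= sum((window.overlap(m) for m in maintenance), timedelta(0))
    down = downtime(window, outages, maintenance, exclude_maintenance)
    return 100.0 * (1 - down / measured)


def service_credit_percent(uptime: float, tiers) -> float:
    """tiers: (minimum uptime %, credit %) in descending order of uptime.
    The first tier whose floor the measured uptime reaches applies."""
    for floor, credit in tiers:
        if uptime >= floor:
            return credit
    return tiers[-1][1]


# Constructed sample: one calendar month, a 99.5% requirement, a hypothetical
# credit schedule, one 2-hour maintenance window and four recorded outages.
JUNE_2014 = Interval(datetime(2014, 6, 1), datetime(2014, 7, 1))
REQUIRED_UPTIME = 99.5
CREDIT_TIERS = ((99.5, 0.0), (99.0, 10.0), (95.0, 25.0), (0.0, 50.0))
MAINTENANCE = [Interval(datetime(2014, 6, 3, 2), datetime(2014, 6, 3, 4))]
OUTAGES = [
    Interval(datetime(2014, 5, 31, 23, 30), datetime(2014, 6, 1, 0, 20)),  # straddles window start
    Interval(datetime(2014, 6, 3, 2), datetime(2014, 6, 3, 3)),            # inside maintenance
    Interval(datetime(2014, 6, 12, 14), datetime(2014, 6, 12, 16, 30)),
    Interval(datetime(2014, 6, 28, 9), datetime(2014, 6, 28, 9, 40)),
]


def evaluate(exclude_maintenance: bool) -> dict:
    """Apply one calculation method and return what the agency needs in order
    to pursue, or forgo, a service credit for the month."""
    up = uptime_percent(JUNE_2014, OUTAGES, MAINTENANCE, exclude_maintenance)
    down = downtime(JUNE_2014, OUTAGES, MAINTENANCE, exclude_maintenance)
    return {
        "downtime_minutes": down.total_seconds() / 60,
        "uptime_percent": round(up, 3),
        "meets_requirement": up >= REQUIRED_UPTIME,
        "credit_percent": service_credit_percent(up, CREDIT_TIERS),
    }


if __name__ == "__main__":
    for method in (False, True):
        print("exclude scheduled maintenance:", method, evaluate(method))
```

The inputs to this calculation are what the contract has to pin down: the window (calendar month versus rolling or quarterly), the clock and probe that decide when an outage starts and ends, whether scheduled maintenance is excluded and who may schedule it, and whether the agency must report the outage to claim the credit. An agency that records its own outage intervals, as the last bullet above calls for, can run this computation independently of the CSP's figures.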
Based on this, we are not making a recommendation\nspecific to the absence of detailed SLAs in our sampled contracts.\n\nData Preservation\n\nData preservation responsibilities should address how long the CSP must maintain the agency\xe2\x80\x99s\ndata, whether the agency or CSP retains the data ownership rights, and how data are to be\nsanitized throughout the system lifecycle.15 However, for the six contracts reviewed, we found\nthat five did not include data preservation requirements.\n\n\n\n\n15\n     NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.\n\n                                                                        AUDIT REPORT 50501-0005-12    7\n\x0cNon-Disclosure Agreements (NDA)\n\nSince CSP personnel have access to and control of the Federal data residing in the cloud system,\nNon-Disclosure Agreements (NDA) are a critical control to ensure CSPs protect the information\nbeing stored in the cloud.16 However, two of six CSPs did not sign an NDA with the agency in\norder to protect non-public information that is procurement-sensitive, or affects pre-decisional\npolicy, physical security, or other information deemed important to protect. Of the four agencies\nthat did establish an NDA with the CSP, we found that all four contracts did not establish a\nmethod for the agency to monitor end-user activities in the cloud environment.17 Defining a\nmethod for the agency to use for monitoring end-user activities provides the agency with a\nprocess to verify adherence to the NDA.\n\nRoles and Responsibilities\n\nIn order to effectively manage cloud services, it is essential that roles and responsibilities are\nclearly defined for the Federal agency, integrators, and the CSP.18 NIST 800-146 states that an\nagency should understand both its responsibilities and those of the CSP before using a cloud\nservice. 
Accordingly, it is important that all terms are agreed to by the CSPs and the agencies to\nensure that both parties fully understand their duties when providing and using a cloud service.\nDuring our testing, we reviewed the sampled contracts for inclusion of TOS requirements. TOS\nrequirements generally include how end-users may use the services, the responsibilities of the\nCSP, and how the CSP will deal with customer data. Our review found four of six contracts did\nnot contain TOS specifications.\n\nFederal IT Regulatory Requirements\n\nIn addition to contract roles and responsibilities, agencies are subject to unique policy and\nregulatory requirements. Federal agencies must ensure that any selected cloud computing\nsolution is configured, deployed, and managed to meet the security, privacy, and other\nrequirements of the organization.19 Furthermore, NIST states that the Federal Information\nSecurity Management Act (FISMA) and the associated NIST standards and special publications\nare applicable to cloud systems. However, all six contracts reviewed did not completely address\napplicable Federal rules and regulations, such as FISMA, OMB Circular A-123, or the Freedom\nof Information Act.\n\n\n\n\n16\n   The CIO Council and CAO Council guidance, Creating Effective Cloud Computing Contracts for the Federal\nGovernment Best Practices for Acquiring IT as a Service, February 24, 2012.\n17\n   The rules of behavior, which are required in OMB Circular A-130, Appendix III, and are a security control\ncontained in NIST SP 800-53, should clearly delineate responsibilities and expected behavior of all individuals with\naccess to the system. NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,\nFebruary 2006.\n18\n   An integrator is an individual or organization that builds systems from a variety of diverse components. 
With the\nincreasing complexity of technology, more customers want complete solutions to information problems, requiring\nhardware, software, and networking expertise in a multivendor environment.\n19\n   NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011.\n\nAccess to CSP for Audit and Investigative Purposes\n\nOIG offices of audit and investigations must have access to CSP personnel, facilities, and\nFederal agency information to perform their statutory oversight roles. The CIO Council and\nCAO Council\xe2\x80\x99s cloud best practices report states that Federal agencies should require CSPs to\nallow forensic investigations for both criminal and non-criminal purposes, and these\ninvestigations should be able to be conducted without affecting data integrity and without\ninterference from the CSP.20 We reviewed the sampled contracts for the presence of\nspecifications that relate to this type of access.\n\n     \xc2\xb7   All six contracts reviewed did not include language allowing agencies to conduct forensic\n         investigations for both criminal and non-criminal purposes without interference from the\n         CSP.\n\n     \xc2\xb7   All six contracts did not detail procedures for electronic discovery when conducting a\n         criminal investigation.\n\n     \xc2\xb7   All six contracts did not include language to allow OIG full and unrestricted access to the\n         contractors\xe2\x80\x99 (and subcontractors\xe2\x80\x99) facilities, installations, operations, documentation,\n         databases, and personnel used in performance of the contract in order to conduct audits,\n         inspections, investigations, or other reviews.\n\nWithout proper access to the CSP and the services being provided, OIG cannot verify that\nsecurity controls are in place to reduce risk to a level acceptable to the agency. 
Additionally,\nlimiting OIG access to CSP facilities and data could compromise and interfere with audits and\ncriminal investigations.\n\nThe nature of cloud computing requires customers to cede control to the CSP on a number of\nissues which may affect security. At the same time, service agreements may not offer or include\na commitment from the CSP to provide such services, thus leaving a gap in security defenses.21\nWithout detailed contract specifications that include SLAs, data preservation responsibilities,\nroles and responsibilities, regulation requirements, and audit and investigative access, USDA\xe2\x80\x99s\ndata stored in the cloud environment are at risk. Additionally, without the ability to determine\nhow the CSPs\xe2\x80\x99 performance is measured, reported, or monitored, USDA does not have the\nability to verify service levels are being met, which increases the risk that USDA\xe2\x80\x99s funds could\nbe misspent or ineffectively used.\n\nWe concluded that it is critical for the Department to develop a consistent approach for cloud\nsystem procurements, including guidance on detailed requirements that must be incorporated into\ncontracts.\n\n\n20\n   Recognizing this issue, the CIGIE IT Committee drafted clauses that would ensure OIG audit and investigative\naccess and proposed their inclusion in the Federal Acquisition Regulation (FAR) to the FAR Council in January\n2012.\n21\n   European Network and Information Security Agency (ENISA), Cloud Computing: Benefits, Risks, and\nRecommendations for Information Security, November 2009.\n\nRecommendation 3\nOCIO needs to develop and implement a guide for procuring cloud systems that details\nspecifications and security requirements to include in the contracts.\n\nAgency Response\n\nOCIO accepts this recommendation. 
OCIO has completed a draft guide for procuring cloud\nsystem solutions, which contains program solution specifications and security requirements. The\nguide will be issued to the Office of Procurement and Property Management (OPPM) and\nagencies for review and comment. The final guide will be issued by OCIO and OPPM for use\nwith USDA information technology cloud system solution procurement contracts. The estimated\ncompletion date of the CSAM Cloud System Inventory Guide is November 30, 2016.\n\nOIG Position\nWe are unable to reach management decision based on OCIO\xe2\x80\x99s response. Although we agree\nwith the issuance of a guide for procuring cloud systems, we believe interim measures are\nneeded if the guide will not be ready for publication until November 30, 2016. In order to reach\nmanagement decision, OCIO needs to provide OIG with interim milestones prior to the proposed\npublication date of the guide.\n\nSection 3: FedRAMP Compliance\nFinding 3: USDA and CSPs Must Meet FedRAMP Requirements\nWe determined that four of the six reviewed systems were not compliant with the Federal Risk\nand Authorization Management Program (FedRAMP) by the required deadline of June 5, 2014.\nThe owners of the systems were the Natural Resources Conservation Service (NRCS), OCIO,\nand the Risk Management Agency (RMA). Ultimately, this occurred because the Department\ndid not establish a comprehensive inventory of all cloud services. FedRAMP states that\nestablishing an inventory of all cloud services within an agency is a critical step on the path to\nFedRAMP compliance. Once established, the agency needs to work with CSPs to update\ncontractual requirements and determine the path each cloud system will take in order to become\nFedRAMP compliant. 
Since the Department did not establish an accurate cloud system\ninventory, it could not plan accordingly to ensure cloud services properly achieved FedRAMP\ncompliance. CSPs that were non-compliant were in various stages of preparing their FedRAMP\ncertification review packages for submission. FedRAMP\xe2\x80\x99s purpose is to ensure that cloud-based\nservices have an adequate information security program that addresses the specific\ncharacteristics of cloud computing and provides the level of security necessary to protect\nGovernment information. Failure of the cloud system to address and meet FedRAMP security\ncontrols increases the risk that USDA program data may be compromised, intercepted, or lost,\nwhich could expose the data to unauthorized parties.\n\nFedRAMP was initiated on December 8, 2011, via an OMB policy memo, which addressed the\nsecurity authorization process for cloud computing services.22 In the memo, OMB requires each\nexecutive department or agency to use FedRAMP when conducting risk assessments, security\nauthorizations, and granting an authority to operate (ATO) for use of cloud services.23\nFedRAMP provides a cost-effective, risk-based approach for the adoption and use of cloud\nservices. It includes:\n\n     \xc2\xb7   Standardized security requirements for the authorization and ongoing cybersecurity of\n         cloud services for selected information system impact levels.24\n\n     \xc2\xb7   A conformity assessment program capable of producing consistent independent,\n         third-party assessments of security controls implemented by CSPs.\n\n\n\n22\n   S. VanRoekel, Security Authorization of Information Systems in Cloud Computing Environments,\nDecember 8, 2011.\n23\n   The assessment and authorization process is the new terminology for the former certification and accreditation\nprocess mandated by OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources\n(November 28, 2000). 
The process requires that IT system controls be documented and tested by technical\npersonnel and that the system be given a formal ATO by an agency official before the system can be operated.\n24\n   The system\xe2\x80\x99s security category is determined in accordance with Federal Information Processing Standard 199.\nAfter the category is determined, the contractor shall apply the appropriate set of baseline controls as required in the\nFedRAMP Cloud Computing Security Requirements Baseline document to ensure compliance with security\nstandards. The FedRAMP baseline controls are based on NIST SP 800-53, Rev. 4.\n\n     \xc2\xb7   Authorization packages of cloud services reviewed by a Joint Authorization Board\n         consisting of security experts from Department of Homeland Security, Department of\n         Defense, and General Services Administration.25\n\n     \xc2\xb7   Standardized contract language to help executive departments and agencies integrate\n         FedRAMP requirements and best practices into acquisitions of cloud systems.\n\n     \xc2\xb7   A repository of authorization packages for cloud services that can be leveraged\n         Government-wide.\n\nDue to the unique risks associated with cloud computing environments, FedRAMP incorporated\ncontrols from NIST 800-53 into its baseline security control framework for use with cloud\nsystems. All cloud services currently implemented were required to meet FedRAMP\nrequirements by June 5, 2014.\n\nWithout complying with FedRAMP, USDA and its agencies could be facing significant\ncloud-related security weaknesses that are, as yet, unknown. 
It is therefore critical that USDA\nmove, in a timely manner, to bring these systems into compliance.\n\nRecommendation 4\nOCIO needs to conduct oversight to ensure each agency with cloud services obtains FedRAMP\ncompliance.\n\nAgency Response\nOCIO accepts this recommendation. OCIO will provide Department-wide guidance via\nmemorandum to USDA Agencies requiring them to obtain FedRAMP certification of cloud\nservices and will establish an organizational structure to provide oversight to monitor and ensure\nthat USDA agencies\xe2\x80\x99 cloud services are FedRAMP compliant. The estimated completion date for\nissuing the Departmental Memorandum on FedRAMP Certification is December 30, 2014, and\nthe estimated completion date for the OCIO FedRAMP Oversight Program is March 30, 2015.\n\nOIG Position\nWe accept OCIO\xe2\x80\x99s management decision.\n\nRecommendation 5\nRMA needs to develop a detailed plan to attain FedRAMP compliance for its cloud service that\nis non-compliant.\n\n\n25\n  Authorization packages contain the body of evidence needed by authorizing officials to make risk-based decisions\nregarding the information systems providing cloud services. A package should include, at a minimum, the security\nplan, security assessment report, plan of action and milestones, and a continuous monitoring plan.\n\nAgency Response\nRMA concurs with the recommendation. RMA is aware that the CSP is pursuing FedRAMP\ncertification by either the Agency Authorization path or the Provisional Authorization Path.\nUSDA is not the Agency Sponsor. RMA will contact the CSP to determine their status on\nattaining FedRAMP certification. Based on CSP information RMA will develop a detailed plan\nto track the CSP's progress toward attaining FedRAMP certification. Given that RMA is not the\nCSP's sponsor, it is not responsible for delays in completing FedRAMP certification but will\ncontinuously monitor the progress and update the plan accordingly. 
The estimated completion\ndate for the plan is November 30, 2014.\n\nOIG Position\nWe accept RMA\xe2\x80\x99s management decision.\n\nRecommendation 6\nNRCS needs to develop a detailed plan to attain FedRAMP compliance for its cloud service that\nis non-compliant.\n\nAgency Response\nNRCS concurs with the recommendation. NRCS is aware that the CSP is pursuing FedRAMP\ncertification for the CSP software by the Provisional Authorization Path. NRCS will contact the\nCSP to determine their status on attaining FedRAMP certification. Based on the response NRCS\nwill track the CSP\xe2\x80\x99s progress toward attaining FedRAMP certification. Given that NRCS is not\nthe cloud service provider for the software, NRCS is not responsible for delays in completing\nFedRAMP certification but will continuously monitor and track the CSP progress accordingly.\nThe estimated completion date for the plan is November 30, 2014.\n\nOIG Position\nWe accept NRCS\xe2\x80\x99 management decision.\n\nRecommendation 7\nOCIO needs to develop a detailed plan to attain FedRAMP compliance for its cloud service that\nis non-compliant.\n\nAgency Response\nOCIO concurs with the recommendation. OCIO is the Agency Sponsor for the CSP that is\npursuing FedRAMP certification by the Agency Authorization Path. OCIO will work with the\nCSP to determine their status on attaining FedRAMP certification. OCIO will develop a detailed\nplan to track the CSP's progress toward attaining FedRAMP certification. OCIO will\ncontinuously monitor the CSP's progress and update the plan accordingly. 
The estimated\ncompletion date for the plan is November 30, 2014.\n\nOIG Position\nWe accept OCIO\xe2\x80\x99s management decision.\n\nScope and Methodology\nThis work was conducted to evaluate USDA\xe2\x80\x99s efforts to adopt cloud-computing technologies in\na manner that complied with current guidance issued by OMB, NIST, and the Department. The\ndocumentation includes results from audit tests of a sample of contracts that USDA and its\nagencies and offices issued for cloud services for compliance with applicable standards.\n\nFor this audit, we obtained an inventory of cloud systems. The information was solicited from\nall agencies and offices within USDA through the use of a survey and did not rely on\ninformation derived from any USDA database.\n\nBased on the information obtained, we attempted to validate the survey results by comparing the\nresults with information housed in CSAM, and to USDA\xe2\x80\x99s Exhibit 53c submission. We\nultimately assembled an audit universe of USDA\xe2\x80\x99s cloud systems consisting of 31 contracts, with\na value of approximately $128.2 million; however, we cannot be certain that we identified all\ncloud systems within USDA. Only cloud systems from commercial service providers were\nincluded in the universe. From the audit universe, we selected a non-statistical sample of six\ncontracts for detailed testing. The sample, with a total value of $68.5 million, was selected based\non a combination of highest dollar value contracts and system risk. Additionally, we reviewed\nrelated contract documentation and guidance, and interviewed applicable personnel in order to\nobtain sufficient and appropriate audit evidence to support our conclusions.\n\nFieldwork was conducted between January and June 2014 at applicable agency locations in\nWashington, D.C.; Albuquerque, New Mexico; Fort Collins, Colorado; and Kansas City,\nMissouri. 
In total, our audit work covered four agencies and staff offices:\n\n   \xc2\xb7   NAD\n   \xc2\xb7   NRCS\n   \xc2\xb7   OCIO, and\n   \xc2\xb7   RMA.\n\nWe conducted this audit in accordance with generally accepted government auditing standards.\nThose standards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our audit\nobjectives. We believe the evidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\nAbbreviations\nATO ............................ authority to operate\nCAO ............................ Chief Acquisitions Officers\nCIGIE .......................... Council of the Inspectors General on Integrity and Efficiency\nCIO .............................. Chief Information Officer\nCSAM ......................... Cyber Security Assessment and Management\nCSP ............................. cloud service provider\nENISA ......................... European Network and Information Security Agency\nFAR ............................. Federal Acquisition Regulation\nFedRAMP ................... Federal Risk and Authorization Management Program\nFISMA ........................ Federal Information Security Management Act\nIT ................................. information technology\nNAD ............................ National Appeals Division\nNDA ............................ non-disclosure agreement\nNIST ............................ National Institute of Standards and Technology\nNRCS .......................... Natural Resources Conservation Service\nOCIO ........................... Office of the Chief Information Officer\nOIG ............................. Office of Inspector General\nOMB ........................... Office of Management and Budget\nOPPM.......................... 
Office of Procurement and Property Management\nRMA ........................... Risk Management Agency\nSLA ............................. service level agreement\nSP ................................ special publication\nTOS ............................. terms of service agreements\nUSDA ......................... Department of Agriculture\n\nExhibit A: Summary of Monetary Results\n\nExhibit A summarizes the monetary results for our audit report by finding and recommendation\nnumber.\n\n   Finding   Recommendation   Description                              Amount         Category\n   2         3                CSP Contract Performance Measurement,    $66,871,914    Questioned Costs, No Recovery\n                              Reporting, and Monitoring                               Recommended\n   Total                                                               $66,871,914\n\nAgency's Response\n\nUSDA\xe2\x80\x99S RESPONSE TO AUDIT REPORT\n\nUnited States Department of Agriculture\n\nDepartmental Management\nOffice of the Chief Information Officer\n1400 Independence Avenue S.W.\nWashington, DC 20250\n\nTO:        Gil H. Harden\n           Assistant Inspector General for Audit\n           Office of Inspector General\n\nFROM:      Cheryl L. Cook                        /s/ Joyce Hunter FOR   SEP 19 2014\n           Chief Information Officer\n           Office of the Chief Information Officer\n\n           Brandon Willis                        /s/ SEP 22 2014\n           Administrator\n           Risk Management Agency\n\n           Jason Weller                          /s/ SEP 19 2014\n           Chief\n           Natural Resources Conservation Service\n\nSUBJECT:   Response to Official Draft Report, 50501-0005-12, USDA\xe2\x80\x99s\n           Implementation of Cloud Computing Services\n\nThe Office of the Chief Information Officer (OCIO), the Office of Procurement and\nProperty Management (OPPM), the Risk Management Agency (RMA), and the\nNatural Resources Conservation Service (NRCS) have reviewed the Official Draft\nReport, 50501-0005-12, USDA\xe2\x80\x99s Implementation of Cloud Computing Services and\nsubmit the following response to OIG\xe2\x80\x99s recommendations.\n\nRecommendation 1\nThe Office of the Chief Information Officer (OCIO) needs to establish a definition of\ncloud computing systems for use within USDA that is consistent with the National\nInstitute of Standards and Technology (NIST) guidance.\n\nAgency Response: OCIO accepts this recommendation. OCIO has completed a draft\ncloud policy that is consistent with NIST guidance, and contains a comprehensive\ndefinition of cloud computing systems. 
The draft is being vetted internally to OCIO\nfor review and comment, prior to being released for formal Department-wide\ncoordination and approval.\n   \xc2\xb7   Departmental Regulation on Cloud Computing Policy\n       Target Completion Date: November 30, 2016\n\nAN EQUAL OPPORTUNITY EMPLOYER\n\nRecommendation 2\nOCIO needs to create and maintain an accurate cloud system inventory and work with\nagencies to ensure their adherence to reporting requirements.\n\nAgency Response: OCIO accepts this recommendation. OCIO will collaborate with\nUSDA agencies to review CSP systems in CSAM and develop guidelines as to how\nCSP systems are to be recorded in CSAM so that future reporting is complete and\naccurate.\n   \xc2\xb7   CSAM Cloud System Inventory Guide\n       Target Completion Date: January 30, 2016\n\nRecommendation 3\nOCIO needs to develop and implement a guide for procuring cloud systems that\ndetails specifications and security requirements to include in the contracts.\n\nAgency Response: OCIO accepts this recommendation. OCIO has completed a\ndraft guide for procuring cloud system solutions, which contains program solution\nspecifications and security requirements. The guide will be issued to OPPM and\nagencies for review and comment. The final guide will be issued by OCIO and OPPM\nfor use with USDA information technology cloud system solution procurement\ncontracts.\n   \xc2\xb7   Departmental Regulation on Cloud Computing Policy\n       Target Completion Date: November 30, 2016\n\nRecommendation 4\nThe Office of the Chief Information Officer (OCIO) needs to conduct oversight to\nensure each agency with cloud services obtains Federal Risk and Authorization\nManagement Program (FedRAMP) compliance.\n\nAgency Response: OCIO accepts this recommendation. 
OCIO will provide\nDepartment-wide guidance via memorandum to USDA Agencies requiring them to\nobtain FedRAMP certification of cloud services and will establish an organizational\nstructure to provide oversight to monitor and ensure that USDA agencies\xe2\x80\x99 cloud\nservices are FedRAMP compliant.\n   \xc2\xb7   Departmental Memorandum on FedRAMP Certification\n       Target Completion Date: December 30, 2014\n\n   \xc2\xb7   OCIO FedRAMP Oversight Program\n       Target Completion Date: March 30, 2015\n\nRecommendation 5\nThe Risk Management Agency (RMA) needs to develop a detailed plan to attain\nFedRAMP compliance for its cloud service that is non-compliant.\n\nAgency Response: RMA concurs with the recommendation. RMA is aware that the\nCSP is pursuing FedRAMP certification by either the Agency Authorization path or\nthe Provisional Authorization Path. USDA is not the Agency Sponsor. RMA will\ncontact the CSP to determine their status on attaining FedRAMP certification. Based\non CSP information RMA will develop a detailed plan to track the CSP's progress\ntoward attaining FedRAMP certification. Given that RMA is not the CSP's sponsor,\nit is not responsible for delays in completing FedRAMP certification but will\ncontinuously monitor the progress and update the plan accordingly.\n   \xc2\xb7   RMA CSP FedRAMP Certification Tracking Plan\n       Target Completion Date: November 30, 2014\n\nRecommendation 6\nThe Natural Resources Conservation Service (NRCS) needs to develop a detailed\nplan to attain FedRAMP compliance for its cloud service that is non-compliant.\n\nAgency Response: NRCS concurs with the recommendation. NRCS is aware that\nPega Systems is pursuing FedRAMP certification for the PEGA software by the\nProvisional Authorization Path. NRCS will contact Pega Systems to determine their\nstatus on attaining FedRAMP certification. 
Based on Pega Systems\xe2\x80\x99 response NRCS\nwill track PEGA\xe2\x80\x99s progress toward attaining FedRAMP certification. Given that\nNRCS is not the cloud service provider for PEGA software, NRCS is not responsible\nfor delays in completing FedRAMP certification but will continuously monitor and\ntrack Pega Systems\xe2\x80\x99 progress accordingly.\n   \xc2\xb7   NRCS CSP FedRAMP Certification Tracking Plan\n       Target Completion Date: November 30, 2014\n\nRecommendation 7\nOCIO needs to develop a detailed plan to attain FedRAMP compliance for its cloud\nservice that is non-compliant.\n\nAgency Response: OCIO concurs with the recommendation. OCIO is the Agency\nSponsor for the CSP that is pursuing FedRAMP certification by the Agency\nAuthorization Path. OCIO will work with the CSP to determine their status on\nattaining FedRAMP certification. OCIO will develop a detailed plan to track the\nCSP's progress toward attaining FedRAMP certification. OCIO will continuously\nmonitor the CSP\xe2\x80\x99s progress and update the plan accordingly.\n   \xc2\xb7   OCIO CSP FedRAMP Certification Tracking Plan\n       Target Completion Date: November 30, 2014\n\ncc:       Jane Bannon, Program Manager, OIG\n          Christopher Wren, OCIO Audit Liaison\n          Lennetta Elias, OCFO Audit Liaison\n\nTo learn more about OIG, visit our website at\nwww.usda.gov/oig/index.htm\nHow To Report Suspected Wrongdoing in USDA Programs\n\nFraud, Waste and Abuse\ne-mail: USDA.HOTLINE@oig.usda.gov\nphone: 800-424-9121\nfax: 202-690-2474\n\nBribes or Gratuities\n202-720-7257 (24 hours a day)\n\nThe U.S. 
Department of Agriculture (USDA) prohibits discrimination in all of its programs and activities on\nthe basis of race, color, national origin, age, disability, and where applicable, sex (including gender identity\nand expression), marital status, familial status, parental status, religion, sexual orientation, political beliefs,\ngenetic information, reprisal, or because all or part of an individual\xe2\x80\x99s income is derived from any public\nassistance program. (Not all prohibited bases apply to all programs.) Persons with disabilities who require\nalternative means for communication of program information (Braille, large print, audiotape, etc.) should\ncontact USDA\xe2\x80\x99s TARGET Center at (202) 720-2600 (voice and TDD).\n\nTo file a complaint of discrimination, write to USDA, Assistant Secretary for Civil Rights, Office of the\nAssistant Secretary for Civil Rights, 1400 Independence Avenue, S.W., Stop 9410, Washington, DC 20250-9410,\nor call toll-free at (866) 632-9992 (English) or (800) 877-8339 (TDD) or (866) 377-8642 (English\nFederal-relay) or (800) 845-6136 (Spanish Federal relay). USDA is an equal opportunity provider and employer.\n\x0c"